Some bank websites use the property autofill=off in their web forms to tell browsers not to remember your password. I find this really annoying and wanted it to stop. It turns out you cannot override this setting with a custom CSS file, so another solution is required. We are going to intercept the page before Safari gets it, and remove all of the autofill=off tags.

Read the rest of the hint for my solution...

Here is my quick fix:

Turn on personal web sharing (System Prefs -> Sharing).

Create the following plain text file and save it in your user's Sites folder as remember.php:.

Edit your /etc/hosts file and add a line for each site you want to be stripped. For example:

127.0.0.1 wellsfargo

Notice that the .com is missing.

In the Terminal, type sudo killall -HUP lookupd to restart the lookup services.

Restart Safari.

Now when you want to access wellsfargo.com and have it remember your password, type wellsfargo in the location bar and hit enter. All of the autofill=off tags will be stripped out, and Safari will remember your username and password.

There is a reason why banks use this in their forms: SAFETY!!! Why would you want your browser or computer to store your passwords anyway.
Your brain is the best and most secure database. Nothing gets lost, just sometimes unretrievable. ;)

Why would you want your browser or computer to store your passwords anyway.

Are you joking?
I personally need my mac to remember my numerous passwords!
BTW, it's not the browser which "remember" the pw but the keychain.
And that's what it's for, no? To have one password to access all the others.
Nobody can't access it without my account pw anyway.

I access my bank account thru a local app anyway, but this trick is useful for admin console login at certain Internet hosts. When you have to manage numerous accounts this really make life easier.

Maybe I don't know how keychain works, but whenever I go to a site that I have saved the login info for, Safari/Keychain just autofills the id & password. The only time it asks me what to do, is after I've rebuilt permissions, following an OS update. When this does happen, it just asks whether I want to deny this action, allow it once, or always allow it. No password is requested.

Again, maybe I don't know how Keychain is supposed to work, but I would like it to ask me for a password, but it never does.

It's quite obvious if you open up Keychain access and wander around. You are being lazy.

Two options:
- Keep the whole keychain permanently locked going to Edit > Change settings for keychain "login" (or whatever other keychain you'd like to secure. Tick "Lock after 0 sec of inactivity". You will be prompted to enter your keychain password every time any application tries to access it.

- Secure individual keys. Select a key, go to "Access control" tab, and remove Safari from the list of applications allowed to access that item.

Surely some of you smart AppleScripterz can devise a script that will do the same thing? It would be cool to do it that way instead of having another running process on my machine. You what I'm saying? I think you do.

Yeah, but how? Is Machete expecting AppleScript? JavaScript? A shell script? I can't find any reference in the documentation other than the sentence, "Run script on the contents of the main url before it gets rendered by the browser."

Yep, a PithHelmet machete script works nicely for this. I also use one to strip accesskey tags that annoyingly interfere with Emacs-style control key shortcuts during text editing, especially on several forums.

If you use OmniWeb instead of Safari for these type of sites, there is a much easier solution.

Go to the site you want to use, edit the source code and remove the autocomplete=off parameter, tell OmniWeb to redisplay the page. Then enter your username and password and tell OmniWeb to save it. That's it! From now on, whenever you go to that site with OmniWeb, it will enter your username and password from your keychain.

Please note that for some sites you might have to use OmniWeb's site preferences and identify your browser as Safari or IE.

Oh yes... FINALLY! :-) I did string searches, and looked at everything I could think of to stop Safari from doing this, never came up with anything. THANK YOU.

Technical tidbit: Looked at the PithHelmet suggestion and Machette script. I had to tweak it slightly to strip out "AUTOCOMPLETE" as well as "AUTOFILL", or some sites still wouldn't save the information.

Now, on to the rant...

The concept that a webmaster somewhere knows better about how to manage my information than I do is absurd... I realize that for people running Windows, security of "stored passwords" may be easy to break, but on the Mac with keychain storage I don't think you run the same risks. I have mine set to re-lock after 15 minutes of inactivity, and also when the system goes to sleep.

Basically, this lets me properly have the computer do it's job, keeps people out who don't know my keychain password, and prevents me from having to store all the passwords in a stupid text file or something like that. It also lets me use unique passwords on many sites, since I no longer have to remember manually which are which, and that really improves security.

I completely agree. The autocomplete attribute is a non-standard Internet Explorer extension, and it should not be used. This is why Mozilla provides a setting called wallet.crypto.autocomplete.override. When true, it tells Mozilla to ignore the attribute.

There's a catch, however. If a web site uses autocomplete=off and knows that a certain browser ignores the setting, the webmaster may decide to block users of that browser. This is why Mozilla ships with wallet.crypto.autocomplete.override off.

Camino users are in even worse shape: It doesn't even support the setting to begin with! That's why I wrote a patch to add autocomplete override support in Camino: https://bugzilla.mozilla.org/show_bug.cgi?id=247919

Unfortunately, it still has not been committed. For this and other reasons, I have since switched to OmniWeb, which ignores autocomplete by default, just as a good web browser should.

I thought I did everything as the script said, but I still can't get this to work. My problem is that I know little to nothing of the terminal and tried to do most everything with text edit. I've verified all the steps, yet seem to run into a problem when checking to see if the index.html file has what it says it should have. When I open it, however, it's empty. Everything else is where it should be and as it should be. ...to the best of my knowledge, anyway.

the index.html file that you need to edit is in /Library/WebServer/Documents . Note that this is no the same as the index.html in /Users/yourUserName/Sites. This file is owned by root which means in order to edit it, you have to have root privileges (which text edit does not)

Using the program called skeleton Key, you can run text edit as root and you will be able to change the file.

It can be found at http://versiontracker.com/dyn/moreinfo/macosx/11927

Thanks for the application, but I still can't get it to work. I'm saving the index.html to the proper place, but when I save a plain text file and then rename it index.html, all of the information that I pasted in the text file is wiped out. I've verified this by trying to re-access said information.

Are you sure this works? I know my way around the terminal and webservers, but this just breaks instantly.

Safari just displays the contents of remember.php, so I stuck some html tags around it. Now I just get a url of http://localhost/~reh/remember.php?url=http://wellsfargo/* because safari adds "http://" and "/" to the wellsfargo bit.

I tried working on the two files, but my javascript and php skills are still rather limited.

Voila! Only one line of code and no /etc/hosts tinkering. Citibank is being problamatic though. I'm still working on that. Also, the autologin information is stored under your domain name in the keychain, but that shouldn't be a problem since safari can handle multiple logins on the same domain.

Not sure if this works in Safari... Thanks!!!
Authored by: sr105 on Oct 17, '04 09:26:26PM

I've been trying to get the very same wells fargo page to remember my login and password since what seems like forever. This bookmarklet worked perfectly (with Firefox). To make it simpler for others:

Go to the link given in the previous post. Click and drag the "remember password" grey box into your bookmarks toolbar. Then load http://www.wellsfargo.com. Now click on that "remember password" link in your toolbar. It should say something like this:

"Removed autocomplete=off from 1 form and from 2 form elements, and removed onsubmit from 0 forms. After you..."

To make a good solution for this problem it should be implemented on browser level just because of https - external proxy/filter cannot tamper encrypted traffic and autocomplete removal will not work in this case.

The best way would be some safari plugin, also it's possible to hack WebCore and make it forget about this AUTOCOMPLETE nonsense (I've done this one on my laptop and it works fine so far).

In brief. If you don't understand something than simply don't do it and ask someone who knows how to deal with a binary editor.

1. Quit Safari and you'll need HexEdit.
2. Find original (not link/alias) WebCore file in some subdirectory in /System/Library/ .
3. Make a backup of the file.
4. Open it in HexEdit, find words "autocomplete" and "AUTOCOMPLETE" (both should be surrounded by \0 !!!)
5. Replace first character of both words with some other character.
6. Save changes.

Brilliant -- and one of the best tips on this site. As far as I know, MacOSXHints is the only place this is documented. Worth noting is that it may need to be re-done after installing Mac OS X's periodic system or security updates. I applied this hack to Safari (v2.0) in Tiger, and it still works.

I have the autofill-blocked problem with a few websites (described below), and I suspect that the hints described so far won't work, since these sites don't seem to contain autocomplete=off in their HTML.

1) <https://bishop.34sp.com:8443/login.php3> seems to use two forms, one for username, one for password. Some Javascript combines the information together into one form before submission.

3) I have a NetGear "Wireless ADSL Firewall Router" (DG834G) which has a configuration interface that is locally accessible at <http://192.168.0.1/>. When I go to that URL, Safari gives a sheet prompting me for username and password, with a check box for "remember this password". (It also tells me that my password will be sent in the clear -- perhaps this is relevant?) However, checking the "remember" box doesn't seem to work -- when I visit that URL again, I have to re-enter the password again. Also, even though I have checked the box, nothing is listed under that URL in Safari Preferences -> AutoFill -> Edit User names and passwords. Could this be because the URL contains a numeric IP address?

I think I understand why Safari does not remember the codes in the first case, but I'd welcome explanations for the last two, and hints for how to get Safari to remember codes for all cases.

1. rewrite the code so it only uses one form, or use firefox.
2. rewrite the code fragment "input...type = PASSWORD" with "input...type = text" for one of the two fields.
3. i can't verify this problem on my machine.

Thanks, ra5ul. Following your suggestion, for site no 1, I rewrote the HTML as one simple form. I added a <base href="https://bishop.34sp.com:8443/"> tag in the <head> section and saved it as a local .html file. Now when I view that local file in Safari, I can log in from there, and Safari offers to and successfully saves the password. :)